From f4d0fbf42ed1818df099c375e43385ea63b08fd3 Mon Sep 17 00:00:00 2001
From: mg
Date: Wed, 11 Sep 2019 20:29:34 -0300
Subject: [PATCH] Adding issuer validation.
---
 thrimshim/thrimshim/main.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/thrimshim/thrimshim/main.py b/thrimshim/thrimshim/main.py
index 9566050..7a2aadb 100644
--- a/thrimshim/thrimshim/main.py
+++ b/thrimshim/thrimshim/main.py
@@ -43,13 +43,16 @@ def cors(app):
 def auth_test():
 if flask.request.method == 'POST':
 userToken = flask.request.json['token']
+ # Reference: https://developers.google.com/identity/sign-in/web/backend-auth
 try:
 # Alternate method, query this endpoint: https://oauth2.googleapis.com/tokeninfo?id_token=XYZ123
 idinfo = id_token.verify_oauth2_token(userToken, requests.Request(), None)
+ if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
+ raise ValueError('Wrong issuer.')
+
 # ID token is valid. Get the user's Google Account ID from the decoded token.
 # userid = idinfo['sub']
- userEmail = idinfo['email']
 return json.dumps(userEmail)